Why data breach incidents are on the rise

by Sudhir on March 11, 2014

There are several reasons for the recent increase in data vulnerability, Spiezle said. For one, cybercriminals have become sophisticated and precise by targeting specific companies. Organizations are also simply accumulating and relying on more data than ever before, increasing opportunities for a data breach.

Adding to these challenges is the increased use of outsourcing and cloud services. Businesses need to validate and monitor not only their own data protection strategies, but also those of their vendors.

These factors also increase the likelihood that the number and severity of breaches with resulting identity thefts will continue to grow in 2012. A well-designed plan is an essential part of regulatory compliance, demonstrating that a firm or organization is willing to take reasonable steps to protect data from abuse, Spiezle said.

The OTA guide contains best practices for securing customer data, with information on data governance and loss prevention, incident response plans and how to develop an in-house data breach prevention program, according to Babel.

“These best practices and recommendations are relevant to companies of all sizes — a brick-and-mortar store that handles customer personal information will find this guide just as relevant as a large firm that processes personal data on a global scale,” Babel said.

These best practices help businesses develop data protection strategies that help minimize risk to consumers, business partners and stockholders, while increasing brand protection and the bottom line, said Spiezle. These efforts should include broader transparency and more detailed reporting requirements, from the leaders of the organization on down.

“It’s fundamentally important that data stewardship, privacy and security no longer become siloed,” Spiezle said. “It really needs to be across a company’s discipline.”

Privacy and Data Protection Governance in Five Steps

by Jinan Budge and Heidi Shey, Contributors

It’s the lifeblood of your business but, as data volumes explode, it’s becoming a herculean task to protect sensitive data and prevent privacy infringements. Companies must understand the laws, regulations and standards for privacy and data protection, as well as ensure compliance with those rules. But where do you go to understand this vast landscape, especially when laws vary drastically from country to country, and even state by state? Where do you start? And is it even your job?

This legal and regulatory landscape is not going away, as much as doomsayers would like it to. In Forrester’s Data Security and Privacy Playbook, we developed a five-step privacy governance framework that enables you to deal with privacy head on, instead of waiting helplessly for harmonization and remaining paralyzed by fear.

Step 1: Define data privacy scope

Understanding the extent of your geography is the first step in knowing your compliance requirements. For example, if your firm does business in all US states, Canada, and Mexico, you must consider all individual state laws plus two country laws and federal laws. That’s at least 50 data privacy laws in total. In addition, definitions of personal data vary greatly. In California, for example, authorities now see a ZIP code as personal data in and of itself, but other states consider it personal data only if it is in context with other data elements. Without understanding whether the data types that you deal with, and their classification, are personally identifiable information or not, it’s impossible to protect them appropriately.

Step 2: Determine organizational roles and responsibilities

Misinformed companies often dump privacy and data protection on the shoulders of security professionals. Since they are managing and securing data for the organization, it’s assumed that these professionals also should be responsible for keeping track of the privacy landscape and corresponding legal implications. In fact, according to Forrester Forrsights’ 2012 Security survey of 2,383 IT executives and technology decision-makers, 49 percent of security organizations today believe that they are fully responsible for managing privacy and regulations, and 77 percent believe that they are at least half responsible. Without a legal background, security professionals must distribute the accountability and involve multiple departments across the organization to ensure compliance, but be careful not to make security your next silo. One senior partner for a major consultancy illustrated the dilemma this way: “People hear the words personal data, and they assume it is IT. IT says it is security. In fact, a major part of this issue does not involve data protection, IT or security.” To remedy this situation, consider hiring a dedicated privacy professional or chief privacy officer to ensure that compliance activities are carried out across the organization.

Step 3: Map laws and regulations into business requirements

One of the most common challenges that we hear from clients is translating this rainbow of standards into real-life requirements, controls and business practices. Because lack of harmonization is such a complex issue for most organizations, Forrester recommends creating internal control mapping tools. A chief privacy officer from one of the world’s largest organizations told us that their organization recently implemented an online privacy tool and process map. By bringing together lawyers from around the world, they examined relevant legal requirements and built the tool directly into business processes. While reliance on humans may still be necessary at times, the tool allows projects to self-determine their requirements and seek expensive legal help and organizational engagement only in special circumstances.

Step 4: Embed privacy compliance in organizational culture

As with any compliance program, privacy must be deeply woven into the culture of the organization. This includes identifying corporate-wide compliance gaps, creating a plan to close those gaps, and implementing policies and procedures to do so. Persistence will be key. As one security manager told us, “You have to keep your eyes out and remain persistent in your conversations with people until you understand what’s happening and communicate to them what they need to do.”

Step 5: Continuously monitor requirements

It may seem that once you’ve steered through the murky waters of privacy compliance and have finally found some clarity in determining a framework, you run into sudden or unexpected changes in laws and regulations. But don’t allow this to slow your momentum. Remember that privacy and data protection laws are continuously evolving, and that security is just one piece of the privacy puzzle.